how it works

Legal moves into the pipeline — before your coffee even gets cold.

Open source · AGPL-3.0

From infrastructure scan to legal draft — pre-filled, source-cited, ready for review.

Lex-Orchestra reads your infrastructure and maps it to real obligations.
Deterministic. Explainable. Legal in the loop.

CRA Art. 14 applies September 2026. EU AI Act deployer obligations are live now. Lex-Orchestra evaluates both — directly from your code.

Scan your infrastructure

The Scout reads your repo directly. No forms. No memory. The code is the real data flow.

Map to regulations

The Context Graph traverses verified legal norms against your actual stack. No guessing — every finding traceable to an official source.

Graph traversal — seeded from official sources, growing continuously
GDPR Art. 28 · DPA
AI Act Art. 50 · Limited
ISO A.9.4.1 · ToM
NIS2 Art. 21 · Incident

/scan
MATCH (s:Service {name: "Stripe"})-[:REQUIRES]->(d:DocumentType)
OPTIONAL MATCH (d)-[:BASED_ON]->(l:Law)
OPTIONAL MATCH (s)-[:LOCATED_IN]->(c:Country)-[:REQUIRES_MECHANISM]->(t:TransferMechanism)
RETURN s.name, d.type, l.name, l.article, s.dpa_url, t.name

📋
DPA required
Stripe → GDPR Art. 28 → DPA obligation → stripe.com/de/legal/dpa
deterministic

AI Act Manifest
OpenAI → Art. 50 → Limited risk deployer obligations
EU AI Act

ToM finding — access control gap
Hardcoded API key → ISO A.9.4.1 → OWASP A01 → GDPR Art. 32
high

🌍
SCCs required
USA not GDPR-adequate → Art. 46 → Standard Contractual Clauses
transfer

Privacy by architecture

The LLM drafts text. The graph defines what applies. Your data never leaves your network.

LLM never sees
company name · file paths · API keys · source code · customer data

LLM only sees
service_type: payment · country: USA · law: GDPR Art.28 · risk: Limited

Principle: Compliance comes from the graph, not the LLM. Outputs reference graph nodes with confidence: 1.0 from primary sources (BSI, EUR-Lex, ISO).
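
An added sketch of the boundary described above, not Lex-Orchestra's own code: a scan finding is projected onto the four fields from the "LLM only sees" list, and each value must match a closed vocabulary so that free text cannot carry a path or key through a permitted field. The function name, the permitted values and patterns, and the sample finding are assumptions.

```python
import re

# Field names come from the page's "LLM only sees" list; the permitted
# values and patterns are assumptions made for this example.
ALLOWED_FIELDS = {
    "service_type": {"payment", "llm_api", "email", "analytics", "hosting"},
    "country": re.compile(r"[A-Z]{2,3}"),
    "law": re.compile(r"(GDPR|AI Act|NIS2|CRA) Art\. ?\d{1,3}"),
    "risk": {"Minimal", "Limited", "High", "Unacceptable"},
}


class BoundaryViolation(ValueError):
    """An allowlisted field carried a value outside its closed vocabulary."""


def to_llm_context(finding: dict) -> dict:
    """Project a scan finding onto the fields the LLM may see.

    Fields that are not allowlisted are dropped. Allowlisted fields must
    match a closed set or a strict pattern, otherwise the call fails.
    """
    context = {}
    for field, rule in ALLOWED_FIELDS.items():
        if field not in finding:
            continue
        value = finding[field]
        if not isinstance(value, str):
            raise BoundaryViolation(f"{field}: expected a string")
        ok = value in rule if isinstance(rule, set) else bool(rule.fullmatch(value))
        if not ok:
            # The rejected value is deliberately kept out of the message,
            # so a leaked secret does not end up in logs either.
            raise BoundaryViolation(f"{field}: value outside allowed vocabulary")
        context[field] = value
    return context


# Constructed sample finding; every value is made up for illustration.
SAMPLE_FINDING = {
    "service_type": "payment", "country": "USA",
    "law": "GDPR Art.28", "risk": "Limited",
    "company_name": "Example GmbH",
    "file_path": "services/billing/client.py",
    "api_key": "CONSTRUCTED-NOT-A-REAL-KEY",
    "source_snippet": "client = Client(key)",
}

if __name__ == "__main__":
    print(to_llm_context(SAMPLE_FINDING))
```

Failing closed on a value mismatch matters as much as dropping unknown keys: an allowlist of field names alone would still forward whatever string sits in an allowed field.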

Documents generated

Ready for legal review — not for legal discovery.

📋
DPA
Pre-filled with Stripe's DPA URL, your company data, GDPR Art. 28 legal basis.
ready to sign

🛡
ToM (Technical Measures)
BSI 3-column format. Access control gap with ISO A.9.4.1 reference and remediation.
tom.md · 1 open finding

AI Act Manifest
OpenAI classified as Limited risk. Art. 50 transparency obligations per deployer role.
Art. 50

🌍
SCCs
Standard Contractual Clauses for USA data transfers. GDPR Art. 46 legal basis.
Art. 46

Delivered via your preferred channel · committed to legal/ · assembled locally on your machine